Latest Viking (维金) virus removal tool, written in pure VB.

Published: 2007-11-05
Updated: 2007-11-05
Article views: 17577

Source: 塞北雪貂 (personal website)  Tags: Other


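(Notice: original work by 魏滔序; please credit the source when reposting.)

Viking has been running rampant and many victims have had enough; what is even more infuriating is that the dedicated removal tools provided by professional software companies cannot remove it completely.
Having no other choice, I wrote one myself. Anyone who needs it can download it here: http://www.chenoe.com

The tool can effectively remove the virus from infected exe files and restore the exe file; most of the tools available online simply delete the exe file. In addition, the tool has a Viking immunization feature.

After downloading, just run it to scan and clean. If after several scans there are still processes that cannot be closed, restart the computer and scan again; that should kill them. Repeat until the virus count is 0.

I am also providing the code for the part of the tool that ends processes. A process is normally ended with the TerminateProcess function, but for the more stubborn processes unconventional means are needed to kill them.
My method is to first raise this program's privilege to Debug level, then close the process with TerminateProcess. If that fails, enumerate the threads in the process and close them with TerminateThread, then end the process with TerminateProcess again. This is basically enough to close 99% of non-system processes.
Also, for processes that have had the virus DLL injected into them, first enumerate the modules in the process and check them, then decide whether to kill. The kill method is the same as above.

The code for processes, threads and modules follows: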
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal lFlags As Long, ByVal lProcessID As Long) As Long
Private Declare Function Process32First Lib "kernel32" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Private Declare Function Process32Next Lib "kernel32" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Private Declare Function Thread32First Lib "KERNEL32.dll" (ByVal hSnapshot As Long, ByRef lpte As THREADENTRY32) As Long
Private Declare Function Thread32Next Lib "KERNEL32.dll" (ByVal hSnapshot As Long, ByRef lpte As THREADENTRY32) As Long
Private Declare Function Module32First Lib "KERNEL32.dll" (ByVal hSnapshot As Long, ByRef lppe As MODULEENTRY32) As Long
Private Declare Function Module32Next Lib "KERNEL32.dll" (ByVal hSnapshot As Long, ByRef lpme As MODULEENTRY32) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Private Declare Function TerminateThread Lib "kernel32" (ByVal hThread As Long, ByVal dwExitCode As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function OpenThread Lib "KERNEL32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwThreadId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Const TH32CS_SNAPPROCESS = &H2
Private Const TH32CS_SNAPTHREAD = &H4
Private Const TH32CS_SNAPMODULE As Long = &H8

Private Const PROCESS_TERMINATE As Long = (&H1)
Private Const MAX_PATH As Integer = 260

Private Type PROCESSENTRY32
    dwsize As Long
    cntusage As Long
    th32ProcessID As Long
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long
    pcPriClassBase As Long
    dwFlags As Long
    szExeFile As String * MAX_PATH
End Type

Private Type MODULEENTRY32                                          'module
    dwsize   As Long
    th32ModuleID   As Long
    th32ProcessID   As Long
    GlblcntUsage   As Long
    ProccntUsage   As Long
    modBaseAddr   As Long                                           'pointer to the module base (4 bytes in a 32-bit process)
    modBaseSize   As Long
    hModule   As Long
    szModule   As String * 256                                      'MAX_MODULE_NAME32 + 1
    szExePath   As String * MAX_PATH
End Type

Private Type THREADENTRY32                                          'thread
    dwsize   As Long
    cntusage   As Long
    th32threadID   As Long
    th32OwnerProcessID   As Long
    tpBasePri   As Long
    tpDeltaPri   As Long
    dwFlags   As Long
End Type

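Public Function KillThread(ByVal ProcessID As Long) As Boolean
    Const THREAD_TERMINATE As Long = &H1    'thread access right (same numeric value as PROCESS_TERMINATE)
    Dim hThread As Long, i As Long, n As Long
    Dim TList() As THREADENTRY32
    Dim AllKilled As Boolean

    TList = GetThreadList(ProcessID)

    On Error Resume Next                    'UBound raises an error when no thread was found
    n = UBound(TList)
    If Err.Number <> 0 Then Exit Function
    On Error GoTo 0

    AllKilled = True
    For i = 0 To n
        hThread = OpenThread(THREAD_TERMINATE, 0, TList(i).th32threadID)    'get a thread handle
        If hThread <> 0 Then
            If TerminateThread(hThread, 0) = 0 Then AllKilled = False        'terminate the thread
            CloseHandle hThread                                              'release the handle
        Else
            AllKilled = False
        End If
    Next
    KillThread = AllKilled
End Function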


Public Function KillProcess(ByVal ProcessName As String, Optional ByVal bKillThread As Boolean) As Boolean
    Dim hProcess As Long, r As Long
    Dim PList() As PROCESSENTRY32
    Dim Name As String, i As Long

    PList = GetProcessList

    For i = 0 To UBound(PList)
        With PList(i)
            Name = Left(.szExeFile, InStr(1, .szExeFile, vbNullChar) - 1)
            DoEvents
            Form1.lbState.Caption = "正在内存查毒: " & Name
            r = InModule(.th32ProcessID, ProcessName)                               'True if a module with this name is loaded in the process

            'Match on the image name or on a loaded module name (names only, not full paths)
            If LCase(Trim(Name)) = LCase(Trim(ProcessName)) Or r Then
                hProcess = OpenProcess(PROCESS_TERMINATE, False, .th32ProcessID)    'get a process handle
                If hProcess <> 0 Then
                    r = TerminateProcess(hProcess, 0)      'terminate the process
                    If r Then
                        AddLog Name, "已结束进程"
                    Else
                        If bKillThread Then
                            If KillThread(.th32ProcessID) Then
                                AddLog Name, "已结束线程"
                            Else
                                AddLog Name, "线程结束失败"
                            End If
                        End If
                        r = TerminateProcess(hProcess, 0)  'try to terminate the process again
                        If r Then
                            AddLog Name, "已结束进程"
                        Else
                            AddLog Name, "进程结束失败"
                        End If
                    End If
                    If r Then KillProcess = True           'report that at least one process was terminated
                    CloseHandle hProcess                   'release the process handle
                Else
                    AddLog Name, "无法获得进程句柄"
                End If
            End If

        End With
    Next
End Function

Private Function GetThreadList(ByVal ProcessID As Long) As THREADENTRY32()
    Dim i As Long
    Dim TList() As THREADENTRY32
    Dim TE32 As THREADENTRY32
    Dim hThreadSnap As Long
    Dim TheLoop As Long

    hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, ProcessID)
    If hThreadSnap = -1 Then Exit Function      'INVALID_HANDLE_VALUE: the snapshot could not be created
    TE32.dwsize = Len(TE32)

    TheLoop = Thread32First(hThreadSnap, TE32)
    While TheLoop <> 0

        'A thread snapshot covers every thread in the system, so filter by owning process
        If TE32.th32OwnerProcessID = ProcessID Then
            ReDim Preserve TList(i)
            'Only collect the entry here. th32threadID is a thread ID, not a handle,
            'so it cannot be passed to TerminateThread; KillThread opens a handle first.
            TList(i) = TE32
            i = i + 1
        End If

        TheLoop = Thread32Next(hThreadSnap, TE32)
    Wend

    CloseHandle hThreadSnap
    GetThreadList = TList
End Function

Private Function GetProcessList() As PROCESSENTRY32()
    Dim i As Long
    Dim PList() As PROCESSENTRY32
    Dim PE32 As PROCESSENTRY32
    Dim hProcessSnap As Long
    Dim TheLoop As Long

    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    PE32.dwsize = Len(PE32)

    TheLoop = Process32First(hProcessSnap, PE32)
    While TheLoop <> 0
        ReDim Preserve PList(i)
        PList(i) = PE32
        i = i + 1
        TheLoop = Process32Next(hProcessSnap, PE32)
    Wend

    CloseHandle hProcessSnap
    GetProcessList = PList
End Function

Private Function GetModuleList(ByVal ProcessID As Long) As MODULEENTRY32()
    Dim i As Long
    Dim MList() As MODULEENTRY32
    Dim ME32 As MODULEENTRY32
    Dim hModuleSnap As Long
    Dim TheLoop As Long

    hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcessID)
    ME32.dwsize = Len(ME32)

    TheLoop = Module32First(hModuleSnap, ME32)
    While TheLoop <> 0
        ReDim Preserve MList(i)
        MList(i) = ME32
        i = i + 1
        TheLoop = Module32Next(hModuleSnap, ME32)
    Wend

    CloseHandle hModuleSnap
    GetModuleList = MList
End Function

Private Function InModule(ByVal ProcessID As Long, ByVal ModuleName As String) As Boolean
    Dim i As Long
    Dim MList() As MODULEENTRY32
    Dim Name As String

    'UBound raises an error when the module list is empty (for example when the
    'process cannot be opened); in that case the function returns False
    On Error GoTo ErrHandler

    MList = GetModuleList(ProcessID)

    For i = 0 To UBound(MList)
        With MList(i)
            Name = Left(.szModule, InStr(1, .szModule, vbNullChar) - 1)
            If LCase(Name) = LCase(ModuleName) Then
                InModule = True
                Exit For
            End If
        End With
    Next
ErrHandler:
End Function

'Adds an entry to the cleaning log shown in the window
Sub AddLog(txt1 As String, txt2 As String)
    Dim Item As ListItem
    Set Item = Form1.lv.ListItems.Add(, , txt1)
    Item.SubItems(1) = txt2
End Sub
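
A read-only PowerShell counterpart of the selection step in KillProcess and InModule above (match by image name, or by a module of that name loaded in the process). It is an added example, not part of the author's tool; the function name Find-SuspectProcess and the name 'example.dll' are placeholders, and nothing is terminated.

```powershell
# Added example: lists the processes the name/module match would select,
# together with full paths, so they can be reviewed before anything is killed.
function Find-SuspectProcess {
    param(
        [Parameter(Mandatory)] [string] $Name   # image or module name, e.g. 'example.dll' (placeholder)
    )
    foreach ($p in Get-Process) {
        $image = $null
        $hits  = @()
        try {
            # MainModule/Modules can fail for protected or already exited processes
            $image = $p.MainModule.FileName
            $hits  = @($p.Modules | Where-Object { $_.ModuleName -ieq $Name })
        } catch {
            # Access denied or process gone: keep what is known and go on
        }

        # ProcessName carries no extension; szExeFile in the VB code does
        $byName = ($p.ProcessName + '.exe') -ieq $Name

        if ($byName -or $hits.Count -gt 0) {
            [pscustomobject]@{
                Id         = $p.Id
                Process    = $p.ProcessName
                ImagePath  = $image
                MatchedBy  = if ($byName) { 'image name' } else { 'loaded module' }
                ModulePath = ($hits | ForEach-Object FileName) -join ';'
            }
        }
    }
}

# Constructed call: review ImagePath and ModulePath before deciding what to end.
Find-SuspectProcess -Name 'example.dll' | Format-Table -AutoSize
```

A bare name match also hits legitimate processes that happen to share the name, which is why the full paths are listed. Run it from an elevated prompt to see modules of processes owned by other accounts.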

The code below sets this program's privilege level; call EnableDebugPrivilege before the program loads:
Private Type LARGE_INTEGER
    lowpart As Long
    highpart As Long
End Type

Private Const ANYSIZE_ARRAY As Long = 1
Private Const SE_PRIVILEGE_ENABLED As Long = &H2
Private Const TOKEN_ADJUST_PRIVILEGES As Long = &H20
Private Const TOKEN_QUERY As Long = &H8

Private Type LUID_AND_ATTRIBUTES
    LUID As LARGE_INTEGER
    Attributes As Long
End Type

Private Type TOKEN_PRIVILEGES
    PrivilegeCount As Long
    Privileges(0 To ANYSIZE_ARRAY - 1) As LUID_AND_ATTRIBUTES   'exactly one entry, as in the Win32 definition
End Type

Private Declare Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, ByRef lpLuid As LARGE_INTEGER) As Long
'PreviousState and ReturnLength are declared ByVal so that 0 is passed as a NULL pointer
Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, ByRef NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, ByVal PreviousState As Long, ByVal ReturnLength As Long) As Long
Private Declare Function GetCurrentProcess Lib "KERNEL32.dll" () As Long
Private Declare Function GetCurrentProcessId Lib "KERNEL32.dll" () As Long

Private Declare Function CloseHandle Lib "KERNEL32.dll" (ByVal hObject As Long) As Long
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, ByRef TokenHandle As Long) As Long
'GetLastError is not declared: the VB runtime can overwrite the value between calls,
'so the last error of a Declare call is read from Err.LastDllError instead


Function EnableDebugPrivilege() As Boolean
    Dim TP As TOKEN_PRIVILEGES
    Dim hToken As Long, r As Long

    r = OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hToken)
    If r = 0 Then Exit Function             'no token handle was opened

    r = LookupPrivilegeValue(vbNullString, "SeDebugPrivilege", TP.Privileges(0).LUID)
    If r <> 0 Then
        TP.PrivilegeCount = 1
        TP.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED

        'No previous state is requested: BufferLength is 0 and both out-pointers are NULL
        r = AdjustTokenPrivileges(hToken, 0, TP, 0, 0, 0)
        'The call also returns nonzero when the account does not hold the privilege
        '(ERROR_NOT_ALL_ASSIGNED), so the last-error value is checked as well
        EnableDebugPrivilege = (r <> 0) And (Err.LastDllError = 0)
    End If
    Call CloseHandle(hToken)
End Function
